> The proposed SQRL scheme derives all application specific keys from a single master key. This essentially provides a single juicy target for attackers to go after.
That sounds like the same problem password managers have. And yet they are still recommended over (re-)using your own passwords for each website.
The crucial difference is that with a password manager, passwords are protected by a master key, but not derived from it. So you can rotate passwords whenever you want, either proactively or reactively, mitigating the effects of a password database compromise.
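The distinction in the comment above can be made concrete. The following is an added example, not code from the thread, from SQRL, or from any password manager. It assumes a toy model: the "derived" identity computes each per-site secret as HMAC-SHA256(master key, site name), and the "vault" stores independently generated random passwords encrypted under the master key with a BLAKE2b keystream (unauthenticated XOR, which is fine for illustration but not for a real product). Function and class names are invented for the example.

```python
import hashlib
import hmac
import secrets

# --- Derived scheme: every site secret is a pure function of the master key ---

def derive_site_key(master_key: bytes, site: str) -> bytes:
    """Per-site secret = HMAC-SHA256(master_key, site). Deterministic by design."""
    return hmac.new(master_key, site.encode(), hashlib.sha256).digest()

class DerivedIdentity:
    def __init__(self, master_key: bytes):
        self.master_key = master_key

    def site_secret(self, site: str) -> bytes:
        return derive_site_key(self.master_key, site)

    def rotate(self, site: str) -> None:
        # Nothing to rotate: with the master key fixed, the site secret cannot change.
        raise RuntimeError("site secret is derived; only changing the master key changes it")

# --- Vault scheme: independent random passwords, encrypted under the master key ---

def _keystream(master_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: BLAKE2b keyed with the master key, salted with a per-entry nonce."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.blake2b(counter.to_bytes(8, "big"), key=master_key,
                               salt=nonce, digest_size=32).digest()
        counter += 1
    return out[:length]

class Vault:
    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.entries = {}  # site -> (nonce, ciphertext)

    def _seal(self, plaintext: bytes):
        nonce = secrets.token_bytes(16)  # blake2b salt is at most 16 bytes
        ks = _keystream(self.master_key, nonce, len(plaintext))
        return nonce, bytes(a ^ b for a, b in zip(plaintext, ks))

    def _open(self, nonce: bytes, ciphertext: bytes) -> bytes:
        ks = _keystream(self.master_key, nonce, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, ks))

    def rotate(self, site: str) -> bytes:
        """Generate a fresh random password for one site; the master key is untouched."""
        password = secrets.token_bytes(32)
        self.entries[site] = self._seal(password)
        return password

    def password(self, site: str) -> bytes:
        return self._open(*self.entries[site])

def breach_scenario() -> dict:
    """Attacker learns the master key (and a vault snapshot); user then rotates one site."""
    master = secrets.token_bytes(32)
    sites = ["example.com", "bank.example"]  # constructed sample sites

    ident = DerivedIdentity(master)
    attacker_derived = {s: derive_site_key(master, s) for s in sites}
    derived_still_valid = all(ident.site_secret(s) == attacker_derived[s] for s in sites)

    vault = Vault(master)
    for s in sites:
        vault.rotate(s)
    attacker_vault = {s: vault.password(s) for s in sites}  # decrypted stolen snapshot
    vault.rotate("bank.example")  # reactive rotation after the breach

    return {
        "derived_secrets_still_valid": derived_still_valid,
        "bank_password_changed": vault.password("bank.example") != attacker_vault["bank.example"],
        "untouched_site_unchanged": vault.password("example.com") == attacker_vault["example.com"],
    }

if __name__ == "__main__":
    print(breach_scenario())
```

Run stand-alone, it reports that the derived secrets the attacker computed remain valid for every site, while the vault's rotated entry no longer matches the stolen copy even though the master key was never changed. The derivation step is the property being illustrated, not a claim about SQRL's exact construction.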
Why is that? I've heard lots of people saying that, but not had any concrete reasons why. As far as I know, he's generally correct about the things he discusses. And pretty good at making technical discussions interesting.
Steve has been on public record for at least the past 12 years weekly on Security Now explaining things clearly and carefully. I've learned a lot from him and am very thankful.
If he even makes a tiny mistake on a podcast episode about something he comes back with a correction the next week.
He's been sharing his knowledge and expertise generously and a lot of people like me enjoy listening to him for 2 hours every week.
Yeah, I've seen that site - 1 item in the last 10 years. Not a lot considering that he broadcasts 2 hrs a week. Maybe he's improved since the early 2000s?
Anything else? I don't really understand the extreme reaction he seems to get.